How to Get an Azure Active Directory Token through PHP
When you call the Azure REST API and the API belongs to the Azure Resource Manager API, you must use Azure Active Directory (Azure AD) authentication to obtain a token before access.
Follow these steps to create an Azure AD application and authorize it to access and manage Azure resources:
Note
The following authentication method applies only to Azure Resource Manager APIs, that is, those whose endpoint is management.chinacloudapi.cn. It does not apply to Azure Service Manager APIs (endpoint management.core.chinacloudapi.cn).
Log on to the Azure account (PowerShell)
Record the obtained TenantID for subsequent programs.
Select the current subscription ID
In a multi-subscription environment, set the current subscription as follows:
Set-AzureRmContext -SubscriptionId <subscription ID>
Create an AD Application
View the newly created application object and its ApplicationId property, which will be used later for the service credential, the role settings, and the access token.
$azureAdApplication = New-AzureRmADApplication -DisplayName "exampleapp" -HomePage "https://www.contoso.org" -IdentifierUris "https://www.contoso.org/example" -Password "<Your_Password>"
Create a service credential
Create a service credential for the Azure AD application:
New-AzureRmADServicePrincipal -ApplicationId $azureAdApplication.ApplicationId
After the service credential is created, it does not have any permissions. You need to set its permission scope.
Authorization
Add role settings for your service credential. In this example, set the read permission to access all resources in your subscription for your service credential. For more information, see Azure Role-based Access Control.
New-AzureRmRoleAssignment -RoleDefinitionName Contributor -ServicePrincipalName $azureAdApplication.ApplicationId
Where RoleDefinitionName has three permission settings available:
Call the OAuth2 API to obtain the token.
The Azure AD application is now created. We can use the following three pieces of information to obtain the token for authentication.
Use the OAuth2 authentication interface of the Azure login endpoint to obtain the token. For more information, see this document: Using the Azure Resource Manager REST API.
See the following code:
<?php
// Values recorded in the earlier steps.
$tenant_id = 'Your Sub Tenant ID';
$client_id = 'Application ID';
$client_secret = 'Application Password';
$auth_url = 'https://login.chinacloudapi.cn/'.$tenant_id.'/oauth2/token?api-version=1.0';
$auth = curl_init($auth_url);
// Client-credentials grant for the Azure Resource Manager endpoint.
$post_data = 'grant_type=client_credentials&resource=https://management.chinacloudapi.cn/&client_id='.$client_id.'&client_secret='.urlencode($client_secret);
curl_setopt_array($auth, array(
    CURLOPT_VERBOSE => 1,
    CURLOPT_POST => 1,
    CURLOPT_POSTFIELDS => $post_data,
    // Keep certificate and host name verification on: this request carries the client secret.
    CURLOPT_SSL_VERIFYPEER => true,
    CURLOPT_SSL_VERIFYHOST => 2,
    CURLOPT_HTTPHEADER => array('Content-Type: application/x-www-form-urlencoded')
));
// Without CURLOPT_RETURNTRANSFER, curl_exec() prints the response body.
curl_exec($auth);
echo "\n";
After the request is executed, the token data is returned. The access_token field is the access token.
{"token_type": "Bearer","expires_in": "3600","expires_on": "1455680701","not_before": "1455676801","resource": "https://management.azure.com/","access_token": "eyJ0eXAiOi…"}
Add the Authorization header to the request headers of the API you want to access and set the value:
Bearer must be added before the token.
Call example:
<?php
$token = 'eyJ0eXA…';
$host = 'management.chinacloudapi.cn';
$version = '2015-09-01';
$url = 'https://'.$host.'/subscriptions/5bbf0cbb-647d-4bd8-b4e6-26629f109bd7/resourceGroups/Default-MySql-ChinaNorth/providers/Microsoft.MySql/servers/poddbtest/databases/kevintest?api-version='.$version;
$ch = curl_init($url);
// Request body: properties of the database to create.
$data = array(
    'properties' => array(
        'charset' => 'utf8',
        'collation' => 'utf8_general_ci'
    ),
);
$json = json_encode($data);
curl_setopt_array($ch, array(
    // Verbose output is for debugging; it can include the request headers.
    CURLOPT_VERBOSE => 1,
    CURLOPT_CUSTOMREQUEST => 'PUT',
    CURLOPT_POSTFIELDS => $json,
    // Keep certificate and host name verification on: this request carries the bearer token.
    CURLOPT_SSL_VERIFYPEER => true,
    CURLOPT_SSL_VERIFYHOST => 2,
    CURLOPT_HTTPHEADER => array('Content-type:application/json', 'Authorization:Bearer '.$token)
));
$ret = curl_exec($ch);
if (empty($ret)) {
    // some kind of an error happened
    echo 'Curl error: ' . curl_error($ch);
} else {
    $info = curl_getinfo($ch);
}
echo "\n";
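The checks a caller can run on the token response before building the Authorization header, as an added example that is not part of the original article. The function name, the 300-second expiry margin and the sample responses are assumptions constructed for illustration.

```php
<?php
// Added example: validate a token endpoint response before using it.
// The function name, the 300-second margin and all sample data are assumptions.
function authorization_header(string $json, string $expectedResource, int $now, int $skew = 300): string
{
    $data = json_decode($json, true);
    if (!is_array($data)) {
        throw new RuntimeException('response is not a JSON object');
    }
    if (isset($data['error'])) {
        // Report only the error code; do not log the whole response body.
        throw new RuntimeException('token request failed: ' . (is_string($data['error']) ? $data['error'] : 'unknown'));
    }
    foreach (array('token_type', 'access_token', 'resource', 'expires_on') as $field) {
        if (!isset($data[$field]) || !is_scalar($data[$field]) || $data[$field] === '') {
            throw new RuntimeException('missing or malformed field: ' . $field);
        }
    }
    if (strcasecmp((string) $data['token_type'], 'Bearer') !== 0) {
        throw new RuntimeException('unexpected token_type');
    }
    // The token must be for the resource named in the request.
    if (rtrim((string) $data['resource'], '/') !== rtrim($expectedResource, '/')) {
        throw new RuntimeException('token issued for a different resource');
    }
    // Treat a token that expires within $skew seconds as already expired.
    if ((int) $data['expires_on'] - $skew <= $now) {
        throw new RuntimeException('token expired or about to expire');
    }
    return 'Authorization: Bearer ' . $data['access_token'];
}

// Constructed sample responses; the token values are placeholders, not real tokens.
$resource = 'https://management.chinacloudapi.cn/';
$now = 1455676900; // fixed clock so the run is reproducible; use time() in practice
$samples = array(
    'valid' => '{"token_type":"Bearer","expires_on":"1455680701","resource":"https://management.chinacloudapi.cn/","access_token":"PLACEHOLDER"}',
    'other resource' => '{"token_type":"Bearer","expires_on":"1455680701","resource":"https://example.invalid/","access_token":"PLACEHOLDER"}',
    'expired' => '{"token_type":"Bearer","expires_on":"1455676801","resource":"https://management.chinacloudapi.cn/","access_token":"PLACEHOLDER"}',
    'error' => '{"error":"invalid_client","error_description":"constructed sample"}',
);
foreach ($samples as $name => $json) {
    try {
        authorization_header($json, $resource, $now);
        echo $name . ": accepted\n";
    } catch (RuntimeException $e) {
        echo $name . ': rejected, ' . $e->getMessage() . "\n";
    }
}
```

To use it with the token request above, set CURLOPT_RETURNTRANSFER so that curl_exec() returns the response body as a string instead of printing it, then pass that string to the function.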